On the Properties of Algebraic Geometric Codes as Copy Protection Codes

Traceability schemes that are applied to broadcast encryption can prevent unauthorized parties from accessing the distributed data. In a traceability scheme, a distributor broadcasts the encrypted data and gives each authorized user a unique key and an identifying word from the selected error-correcting code for decrypting. The following attack is possible in these schemes: groups of c malicious users join into coalitions and gain illegal access to the data by combining their keys and identifying codewords to obtain a pirate key and codeword. To prevent this type of attack, classes of error-correcting codes with special c-FP and c-TA properties are used. In particular, c-FP codes are codes that make direct compromise of scrupulous users impossible, and c-TA codes are codes that make it possible to identify one of the attackers. We consider the problem of evaluating the lower and the upper boundaries on c within which the L-construction algebraic geometric codes have the corresponding properties. In the case of codes on an arbitrary curve, the lower bound for the c-TA property was obtained earlier; in this paper, the lower bound for the c-FP property is constructed. In the case of curves with one infinite point, the upper bounds for the value of c are obtained for both the c-FP and c-TA properties. In the course of this work, we prove an auxiliary lemma whose proof contains an explicit way to build a coalition and a pirate-identifying vector. The methods and principles presented in the lemma can be important for analyzing the robustness of broadcast encryption schemes. The monotonicity of the c-FP and c-TA boundaries with respect to subcodes is also proven.


INTRODUCTION
The work discusses a promising method of using error-correction algebraic geometric (AG) codes of L-construction as codes to protect legally replicated digital products from unauthorized copying [1], which is called a special broadcast encryption scheme (SBES). In these schemes, the distributor replicates the data freely in encrypted form, and each legal user is given a unique set of keys and identifying vectors from the corresponding linear code for decrypting the data. In an SBES, users apply identifying code vectors to access the data. If illegal use of a key is detected, its owner can be identified by the controller. Attacks of the following kind are possible in an SBES: some unscrupulous legal users can unite in coalitions of attackers of some power in order to create pirate identification vectors and keys that can be used for illegal data access, which may lead to various abuses. To fight such attacks, the authors of [1][2][3] suggest a method of detecting coalition members based on the use of some linear code classes; a description and analysis of the efficiency of such schemes is also presented in [4].
Presently, classes of so-called c-TA and c-FP codes are actively investigated and applied in such systems for protection against unauthorized copying. The class of c-TA codes includes those codes for which applying any minimum-distance decoder to a pirate identification vector is guaranteed to find the identification vector of an intruder from the attacking coalition of power c. The wider class of c-FP codes includes those codes for which a pirate identification vector created by a coalition of power c cannot be an identifying vector of a user outside the coalition, which excludes the possibility of directly compromising innocent users (here c ∈ N \ {1}). The problems of searching for new classes of error-correction codes for further use in SBES and of specifying the boundaries within which the c-TA and c-FP properties are satisfied seem relevant. In [3], the possibility of applying some Reed-Solomon codes as c-TA codes is shown, and, in [5], boundaries of the values of c for Reed-Solomon codes, at which they are c-TA and c-FP codes, are shown. Work [6] presents the possibility of applying q-ary Reed-Muller codes as both c-TA and c-FP codes, as well as a study of the corresponding boundaries. Work [3] demonstrates the possibility of applying some algebraic geometric codes of L-construction, and [7] presents sufficient conditions for AG codes to have the c-TA property as well as the condition of applicability of some list decoders for AG codes of L-construction in SBES.
In this work, we calculated the lower bound for the c-FP property boundary in case of AG codes on arbitrary curves and proved monotonicity of boundaries of the c-FP property and the c-TA property by subcodes. The upper bounds for boundaries of c-FP and c-TA properties are calculated for AG codes on special classes of curves with a single infinite point.

1. CLASSES OF c-TA AND c-FP CODES
Below, we will use standard notation from the coding theory (see [8]). Assume that C is the linear code, obviously, where is the Hamming distance between x and y.
Let . We will call set C, where , coalition of code . We will call the number c the power of the coalition, and the set of coalition of code C of power not greater than c will be denoted as . Apparently, c is significantly less than the power of code C. The set of descendants of the coalition C_0 is the set Linear code C is called c-TA code [1, Definition 1.1], if the following condition is satisfied: Note that if the c-TA property is satisfied for code C, then for any vector no coalition of power not greater than c can generate a descendant ω by combining the elements of its code vectors, which is closer to v than to this coalition. The TA compromising set for code C is the set (see [6, p. 101]). In this way, to prove that the c-TA property is not satisfied for code C, it is enough to build a code vector v, a coalition C_0 of power at most c, and a descendant ω of this coalition such that the distance from this descendant ω to v is less than the distance from this descendant ω to any member of the coalition.
We will call linear code C c-FP code [1, Definition 1.1], if the following condition is satisfied: In this way, if the c-FP property is satisfied for code C, then no coalition of power not greater than c can generate another code vector by combining the elements of its code vectors. The FP compromising set for code C is the set (see [6, p. 101]). In this way, to prove that the c-FP is not satisfied for code C, it is enough to build a coalition of power not greater than c and a code vector such that the code vector is a descendant of this coalition. The sets and are integer segments We will call the values and the bounds of compromising sets. The definitions imply the following embedding and inequality: Let us prove the lemma about monotonicity of the properties TA and FP.

Lemma 1. Let and be the linear codes in and be the subcode of . Then,
Proof. Let such that Then, accounting that , we obtain In this way, if the c-TA property for code is not satisfied for , then the c-TA property is also not satisfied for code ; thus, The second inequality is proved in the same way. A similar lemma was proved in [9, Theorems 2 and 4] for Reed-Muller codes.

ALGEBRAIC GEOMETRIC CODES OF L-CONSTRUCTION

2.1. Basic Concepts
Below, we will apply approaches to AG codes of L-construction from [10,11]. Let us consider a finite field and polynomial rings . We will denote the set of homogeneous polynomials from as .
Note that there is a one-to-one correspondence between polynomials f from and homogeneous polynomials F from [11, pp. 106-107], which is determined by the following rule. If d is the maximal power of a monomial in the polynomial , then F is obtained from f by replacement of each monomial with a monomial This correspondence is called projectivization.
If a point P has affine coordinates then projective coordinates of this point will be denoted as in the case of an infinite layer the third projective coordinate is zero [10, pp. 7-8]. Let is the plane smooth projective curve over the field , set by an irre- We will denote the main ideal in generated by as F. In the ring with natural operations of addition and multiplication, let us consider the maximal ideal [11, Subsection 2.5.4] Then, the factor ring is a field, and it is called the field of rational functions on the curve X and is denoted as . According to [11, Subsection 2.5.2], .
where and the value of the quantity m does not depend on selection of the element T. We will call the value of at point the order m and denote it as .
The divisor D on the projective curve is a formal sum of the following kind:

Monotonicity of the Properties c-TA and c-FP
Proofs of statements (2) and (3) follow from statement (1) and Lemma 1.

BOUNDS FOR THE PROPERTY c-FP
Let us formulate a theorem about the bounds of compromising set for the c-FP property.

Theorem. Let be a plane smooth projective curve. Let us consider AG code . Then
If Q is a unique infinite point on -, , and then: If genus of curve is zero and , i.e., the code is Reed-Solomon code (see Note 1), then estimates in the theorem turn into equality from [5]. Let us prove this theorem after a few auxiliary lemmas.

Lemma 2. Let us consider AG code . Then:
Proof. Let , be an arbitrary codeword, be an arbitrary coalition, be an arbitrary descendant of the coalition . Obviously, . To prove the lemma, it is enough to show that, if , then the estimate is satisfied. Now let us assume that , but . Since ω is a descendant of the coalition , for each number there is such a number that Since power of the coalition is c, there is a number such that Then, due to the fact that , we obtain: which is impossible according to Theorem 1. Thus, . In this way,

Further we will need some auxiliary constructions. Let be a plane smooth projective curve and be a set of all points on the curve. We will call this set the set of finite points of the curve. Let us introduce two relations of equivalence in it: The relation ∼_1 splits P into classes of equivalence: (4) the relation ∼_2 splits P into classes of equivalence: (5) where are points from P and are powers of factor classes and , correspondingly.
We will call the value the index of the set P by the first coordinate, and the value the index of the set P by the second coordinate. Obviously, It is easy to check that, if both indices are 1, then the set P consists of a single point. In this way, if , then one of the indices is also greater than 1. Let us formulate and prove the following technical key theorem, the proof of which is quite tedious.
Proof. Let us assume that the lemma is proved for , i.e., we can build a coalition , such that Let us consider an arbitrary vector , a coalition , and a vector Since C is a linear code, , , and In this way, if the lemma is true for , then it is also true for any other
Now, let us prove the lemma in the assumption that Let Let us first consider the case, when and split the proof into several steps.
I. Let us consider the set . Since, according to the construction of the AG code, , , and Q is the only infinite point on the curve -, P does not contain infinite points, i.e., points of kind . Thus, the set P is a subset of the set of finite points of the curve; moreover, since , one of the indices of P is greater than 1 (see (4), (5)). Without loss of generality, we will assume that is greater than 1 and consider classes of equivalence . Let us renumber the set P so that the following condition is satisfied for the first points from P:
II. Since the coalition is a set of code vectors, each of which represents an image of some rational function from Riemann-Roch space under the coding map, to build the sought coalition, it is first necessary to present the corresponding set of rational functions.
Let us first build auxiliary polynomials for the sought rational functions. We will consider a few cases.
(a) Let Then we will consider the following polynomials in the ring (see (4)): For each and point : Power of each equals δ.
(b) Now, let , in addition, and Then we will consider the following polynomials in the ring : For each and point Power of each does not exceed δ. Let us consider a set of nonzero polynomials of power not greater than δ, which do not coincide with . There are such polynomials. Then as we will take such polynomials from this set that for some .
(c) Now, let , moreover, , but Then the following polynomials can be considered in the ring : .
IV. Now, let us construct the sought descendant ω for each of the cases (a)-(d) considered in step II.
In case (a) the coalition (see (12)) due to (7) and (11) is denoted as follows: Let us consider the descendant of the coalition : where for each the value of is set as an arbitrary element from . Clearly, By construction,
In case (b) the coalition due to (8) and (11) is denoted as follows: Let us construct the descendant ω as follows. As , where , we will take zero from the vector , which is on the ith position there. Note that for any position j such that point lies in one of the equivalence classes . Then, since by construction the value of is zero at any point from , also including . Therefore, for any such a position j we can select In this way, combining only first vectors, we can select the descendant ω coinciding with zero vector. Then,
In case (c) the coalition due to (9) and (11) is denoted as follows: Let us construct the descendant ω. As , where , we will take zero from the vector , which is on the ith position there. If , then as the element of position i we will take zero from the vector , which is also on the ith position there. Similarly to the previous case, for each position j such that , lies in one of the equivalence classes . Then, since the value of is zero at any points from . Therefore, for any such a position j we can select Combining all the c vectors, we can select the descendant ω coinciding with zero vector:
In case (d) the coalition due to (10) and (11) is denoted as follows: Let us construct the descendant ω in this case. As , where , we will take zero from the vector , which is on the ith position there. If , then as the element on position i we will take zero from the vector , which is also on the ith position there.
Similarly to the previous case, for any position j such that , there is a number m such that Therefore, for any such a position j we can select Then combining first vectors we can select the descendant ω coinciding with zero vector: So in all the variations, when , there is such a descendant ω of the coalition , that In this way, the lemma is proved in the case .
Now let us consider the case Let us build the coalition in this case. Let then The set of polynomials and the first elements of the coalition in the same way as was described above for case at steps II and III. Now, it is necessary to finish building the coalition until the required power c. If cases (b), (c), or (d) are realized at step II for , then, as shown at step IV, the zero vector can already be selected as the descendant of the built coalition of power . Thus, any of the remaining nonzero code vectors can be taken as the remaining members of the coalition.
Let us assume that case (a) is realized at step II for . If , then there is no need for additional constructions, since a zero vector can already be selected as the descendant of the built coalition of power and any nonzero code vectors can be taken as the remaining members of the coalition. If contain zeros. In this case, we will select the remaining members of the coalition as arbitrary nonzero code words, which do not coincide with already constructed members of the coalition. Zero vector can be selected as a descendant of the built coalition. Indeed, first positions can be filled with zeros similarly to the case when and the other positions can be filled with zeros located on the same positions in the vector .
In this way, the coalition is built. Zero vector can be selected as . Then So, the lemma is also proven in case when . The proof of the previous lemma is quite tedious, but contains description of the method to build a coalition c by the given power and code vector and such its descendant ω that coincides with in not less Therefore, and the classes can be used when building the sought coalition. Enumeration of the points corresponds to the requirement set in the lemma that . In our case and Case (a) at step II from Lemma 3 corresponds to such a set of parameters. Therefore, we can build the coalition and the descendant ω such that The polynomials are denoted as follows: and read Then, become From Note 2 in [7] and Theorem 2.23 in [10] we obtain  Let us consider AG code of L-construction and code vector . Note that, according to Note 1, this code is a Reed-Solomon code.
Let us build the coalition of this code of power c using the algorithm from Lemma 3. The classes of equivalence by the first coordinate can be built as follows: Index equals 8. Note that the index by the second coordinate equals 1. It can be easily seen that by construction of the classes the required numeration is already done. In our case The second case from Lemma 3 corresponds to such a set of parameters. In this case, we can build the coalition and the descendant ω such that According to the algorithm, first we have to build polynomials by the algorithm from step II, replacing c with . In this case, case (a) from step II, when , is present. Then, the coalition of these two vectors is guaranteed to generate the descendant : we will take the first five zeros from the first vector and the last three from the second one. We obtain The sought coalition is built.

Proof of Theorem 3. (1) Let us first prove that To check this inequality, it is enough to show that, if , then the code C possesses the c-FP property.
Let , then and . Due to Lemma 2 we obtain: Therefore, this exactly means that C is a c-FP code.
(2) Now let us prove that if Q is the only infinite point of the curve -,

, and then
Let be an arbitrary integer such that . To prove the sought estimate, it is enough to show that at the number of attackers the considered property is not satisfied. Due to (6) from Lemma 3,

According to the assumption , thus
This means that ; consequently, . This exactly means that the FP property is not satisfied; as a result, . Theorem 3 is proven.
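The Reed-Solomon example above, in which two codewords combine into the zero vector (five zeros from the first, three from the second), can be reproduced with the following added illustration, which is not code from the paper. The field GF(11), the evaluation points 0..7, the dimension 6 and all function names are assumptions chosen to match that zero pattern; the construction generalizes to any block size k - 1.

```python
# Added illustration; field size, evaluation points and dimension are assumed values.
P = 11                      # prime field GF(11) (assumption)
POINTS = list(range(8))     # 8 finite points with distinct first coordinates
K = 6                       # code dimension: polynomials of degree <= K - 1


def poly_from_roots(roots, p=P):
    """Coefficients (low to high) of prod (x - r) over GF(p)."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, a in enumerate(coeffs):
            nxt[i] = (nxt[i] - r * a) % p
            nxt[i + 1] = (nxt[i + 1] + a) % p
        coeffs = nxt
    return coeffs


def encode(coeffs, points=POINTS, p=P):
    """Reed-Solomon codeword: the polynomial evaluated at every point."""
    return tuple(sum(a * pow(x, i, p) for i, a in enumerate(coeffs)) % p
                 for x in points)


def zero_covering_coalition(points=POINTS, k=K, p=P):
    """Split the points into blocks of at most k - 1 points and return one
    nonzero codeword per block that vanishes exactly on that block."""
    step = k - 1
    blocks = [points[i:i + step] for i in range(0, len(points), step)]
    return [encode(poly_from_roots(b, p), points, p) for b in blocks]


def is_descendant(word, coalition):
    """A descendant copies every coordinate from some coalition member."""
    return all(any(w == x[i] for x in coalition) for i, w in enumerate(word))


def hamming(u, v):
    return sum(a != b for a, b in zip(u, v))


def fp_violated_by(codeword, coalition):
    """c-FP fails when a codeword outside the coalition is its descendant."""
    return codeword not in coalition and is_descendant(codeword, coalition)


def ta_violated_by(word, innocent, coalition):
    """c-TA fails when a descendant is closer to an outside codeword
    than to every member of the coalition."""
    return (innocent not in coalition and is_descendant(word, coalition)
            and all(hamming(word, innocent) < hamming(word, x) for x in coalition))


if __name__ == "__main__":
    coalition = zero_covering_coalition()
    zero = (0,) * len(POINTS)
    for member in coalition:
        print(member)
    print("FP violated:", fp_violated_by(zero, coalition))
    print("TA violated:", ta_violated_by(zero, zero, coalition))
```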

BOUNDS FOR THE PROPERTY c-TA
Let us formulate a theorem about the bounds of the property c-TA.

Theorem 4. Let be a plane smooth projective curve. Let us consider AG code . Then
If Q is the only infinite point on -, , and then:
Proof. The first statement was proven in Theorem 1 from [7].
Let us prove the second statement. Let as above in Lemma 3. To prove this statement, it is enough to show that if c is an arbitrary number such that then, C is not a c-TA code. Then, in the assumption that , we obtain: Let be an arbitrary code word. According to definition of c-TA, to confirm that this property is not satisfied, it is enough to show that:

As
and ω we will consider the coalition built in Lemma 3 and its descendant ω and show that the sought inequalities are satisfied. Without loss of generality, let us assume that and the equivalence classes are used for building the coalition (see (4) and (5)).
Let us consider two cases. This means that the property c-TA is not satisfied at the given conditions.
(2) Let In case, when , it is shown in Lemma 3 that i.e., . This means that C is not a c-FP code. Similarly, in case it follows from the second statement in Theorem 3 that C is not a c-FP code. Therefore, at the code C is not a c-TA code as well (see (1)). In this way, it was shown that, if c is an arbitrary number such that , then the considered TA property is violated. The theorem is proven.
If genus of the curve is zero and , i.e., the code is a Reed-Solomon code (see Note 1), then estimates in the theorem turn into estimates from [5]: .